A Fax Machine, a $4.75 Million Penalty, and Why HIPAA Still Catches Organizations Off Guard
In 2020, a large health system called Premera Blue Cross agreed to pay $6.85 million to the Office for Civil Rights after a breach exposed the protected health information of 10.4 million people. The root cause? A phishing email that went undetected for nearly nine months. Not a sophisticated nation-state attack. A phishing email.
That story isn't ancient history. It's a blueprint for what I still see happening in clinics, hospitals, billing companies, and business associates right now in 2026. HIPAA compliance hasn't gotten easier. The rules haven't relaxed. And OCR hasn't stopped investigating.
If you're responsible for any aspect of PHI — whether you're a compliance officer, practice manager, or IT director — this post is for you. I'm going to walk through where HIPAA enforcement stands today, the mistakes I see organizations repeat, and exactly what your workforce needs to do differently this year.
What HIPAA Actually Requires (and What Most People Get Wrong)
It's Not Just a Privacy Law
Most people hear "HIPAA" and think "don't share patient records." That's like saying fire codes are about not lighting matches indoors. HIPAA is a comprehensive federal framework with multiple rules, each carrying distinct obligations.
The Privacy Rule governs who can access and disclose PHI. The Security Rule sets administrative, physical, and technical safeguards specifically for electronic PHI (ePHI). The Breach Notification Rule dictates exactly how and when you must report unauthorized disclosures. And the Enforcement Rule gives HHS the authority to investigate complaints and impose civil monetary penalties.
Every covered entity — health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically — must comply with all of them. So must their business associates. If your organization touches PHI in any form, you're in scope.
The Risk Analysis That Nobody Finishes
Here's what happens in my experience: an organization runs a risk analysis once, checks the box, and files it away. Three years later, OCR comes knocking and asks to see an updated assessment. It doesn't exist.
OCR has made clear — repeatedly — that a risk analysis is not a one-time event. It must be ongoing. The HHS guidance on risk analysis states that covered entities must "regularly review records of information system activity." Regularly. Not once during onboarding.
The settlement history backs this up. In 2018, Anthem paid $16 million — the largest HIPAA settlement in history at the time — after a breach affecting 78.8 million people. A key finding? Failure to conduct an enterprise-wide risk analysis. It keeps showing up because organizations keep skipping it.
The $1.19 Million Mistake Your Front Desk Might Be Making Right Now
I recently worked with a multi-location orthopedic practice that stored paper sign-in sheets at the front desk — visible to every patient in the waiting room. Names, appointment times, even reason-for-visit codes. All in plain sight.
This isn't a hypothetical risk. In 2019, Elite Primary Care paid $36,000 in a settlement with OCR after impermissible disclosure of PHI on a web server. Smaller organizations aren't exempt. OCR's Right of Access Initiative has specifically targeted smaller practices.
Your front desk staff, receptionists, and intake coordinators handle PHI dozens of times per day. They answer phones, verify insurance, confirm appointments, and hand out forms. Each of those interactions is a potential disclosure event. That's exactly why role-specific education — like our HIPAA Training for Employees: Front Desk & Reception — exists. Generic awareness isn't enough for the people on the front line.
What Is HIPAA Compliance? A Quick-Reference Answer
HIPAA compliance means a covered entity or business associate meets all requirements of the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule as administered by the U.S. Department of Health and Human Services (HHS). Compliance requires ongoing risk analysis, workforce training, physical and technical safeguards for ePHI, documented policies and procedures, and timely breach notification to affected individuals, HHS, and in some cases the media.
OCR Enforcement in 2026: The Trends I'm Watching
Right of Access Is Still the Sharpest Blade
Since OCR launched its Right of Access Initiative in 2019, it has resolved more than 45 cases involving providers who failed to give patients timely access to their medical records. Penalties have ranged from $3,500 to $240,000. The message is unmistakable: when a patient asks for their records, you have 30 days. Period.
I've seen practices drag their feet because the request came from a lawyer, or because the patient owed a balance, or simply because the medical records department was understaffed. None of those are valid excuses under HIPAA. The HHS guidance on individual access is explicit: you cannot deny access based on unpaid bills.
Hacking and IT Incidents Dominate Breach Reports
According to OCR's breach portal, hacking and IT incidents account for the vast majority of large breaches reported in recent years. Ransomware, phishing, and credential theft are the top vectors. If your organization hasn't updated its Security Rule compliance posture — including encryption, multi-factor authentication, and audit controls — you're operating on borrowed time.
Workforce Training: Where Compliance Lives or Dies
I'll say it plainly: no policy manual will save you if your workforce doesn't understand HIPAA. OCR settlements routinely cite "failure to train workforce members" as a contributing factor. The Security Rule at 45 CFR Part 164, Subpart C requires security awareness training for all members of a covered entity's workforce.
"All members" means everyone. Clinicians, admin staff, volunteers, contractors, interns. If they can access PHI, they need training — and that training must be documented.
Annual Refresher Training Isn't Optional
HIPAA doesn't specify "annual" in the statute, but OCR's enforcement pattern and industry best practice make clear that once-a-career training doesn't cut it. Threats evolve. Staff turns over. New technology gets deployed. Your compliance program must keep pace.
That's why I recommend every covered entity schedule an Annual HIPAA Refresher for all workforce members — not as a formality, but as an operational safeguard. The organizations I work with that do this consistently have fewer incidents, faster breach response times, and cleaner audit results.
New Hires Need More Than an Orientation Slide
The most vulnerable period for any organization is the first 90 days after a new hire starts. They don't know your systems, your policies, or your culture around PHI handling. A ten-minute orientation video won't cover it.
A structured onboarding program — starting with something like the HIPAA Introduction Training 2026 — gives new workforce members a solid foundation. They learn the rules, understand the stakes, and see real-world scenarios that map to their daily responsibilities.
Five Things to Fix Before Your Next OCR Audit
- Update your risk analysis. If it hasn't been revised in the last 12 months, it's stale. Document every change in systems, vendors, and workflow.
- Audit your Business Associate Agreements. Every vendor that touches PHI needs a current, signed BAA. No exceptions — not even for your cloud storage provider or your shredding company.
- Review physical safeguards. Workstation placement, screen locks, badge access to records areas, and disposal of paper PHI all need documented procedures.
- Test your breach notification process. Run a tabletop exercise. Can your team notify affected individuals within 60 days of discovery? Do they know who reports to HHS?
- Document all training. Every session, every attendee, every date. If you can't prove it happened, OCR will treat it as if it didn't.
The Cost of Getting HIPAA Wrong Keeps Climbing
In 2023, OCR settled with Banner Health for $1.25 million after a 2016 breach affecting nearly 2.81 million people. The investigation found long-standing failures in risk analysis and risk management. That's seven years between the breach and the settlement — a reminder that OCR has a long memory and deep patience.
But the financial penalties are only part of the cost. Breach notification expenses, forensic investigation fees, legal counsel, reputational damage, and lost patient trust compound quickly. I've seen small practices spend $200,000 responding to a breach that a $2,000 training investment could have prevented.
HIPAA Isn't Going Away — Your Compliance Program Shouldn't Either
Every year, I hear someone predict that HIPAA will be replaced, overhauled, or weakened. Every year, the opposite happens. HHS proposes tighter rules. OCR investigates more complaints. Penalties increase. The regulatory direction is clear.
Your organization doesn't need to be perfect. But it does need to be proactive. A current risk analysis, documented policies, signed BAAs, technical safeguards for ePHI, and ongoing workforce training — these are the fundamentals. Get them right, and you're ahead of most covered entities in the country.
Get them wrong, and you'll learn about HIPAA the expensive way.
Ready to build a stronger compliance foundation? Browse the full HIPAA training catalog and find the right course for every role in your organization.